When working with Next-Generation Firewalls (NGFWs), you may come across situations where you need to block specific websites. In this blog post, we'll explore how to block specific sites using a Palo Alto firewall. There are two ways to achieve this, and we'll cover both options.
This blog post assumes you have some familiarity with URL filtering. In a typical setup, you create a URL Filtering profile, configure the categories to allow or block, and attach this profile to your security policies.
Depending on your security requirements, you might block entire categories such as gambling, terrorism, or proxy sites. However, there are times when you only need to block specific sites rather than an entire category.
In this blog post, we'll use cnn.com and samsung.com as examples (no hard feelings toward them, these were just the first sites that came to mind, haha 🙂).
After three and a half years of haggling (the IETF draft that became the RFC was written in May 2021; the original discussions go back to 2013), Nick Buraglio & co managed to persuade pontificators bikeshedding in the v6ops working group that we might need an IPv6 documentation prefix larger than the existing 2001:db8::/32
.
With the new documentation prefix (3fff::/20
) (defined in RFC 9637), there’s absolutely no excuse to use public IPv6 address space in examples anymore.
One of the big questions about IPv6 is: “Should you use /64’s for subnets?” Tom Coffeen joins Eyvonne Sharp, Rick Graziani, and Russ as we discuss the various questions surrounding IPv6 addressing, planning, waste, and … should you /64?
If you use URL filtering on your Palo Alto firewalls, you may come across situations where a specific URL category is set to block, but you need to allow certain sites. For example, you might block the 'social networking' category but still want to allow access to Facebook. Similarly, you may block 'newly registered domains,' but need immediate access to a site categorized as such. While you can request Palo Alto to re-categorize the site, sometimes you need a quicker solution.
In this blog post, we'll look at how to allow access to specific URLs that match a blocked URL category. There are two ways to achieve this, and I’ll cover both.
This blog post assumes you have some familiarity with URL filtering. In a typical setup, you create a URL Filtering profile, configure the categories to allow or block, and attach this profile to your security policies. For instance, if you block the 'proxy-avoidance' category and try to access a site like expressvpn.com, the traffic will be blocked.
To demonstrate this, I'll set the 'proxy-avoidance' category to block. This means that if I try to access expressvpn.com, it will be blocked. Continue reading
XtendISE is a user-friendly web application integrated with Cisco ISE and designed to simplify daily tasks and common challenges related to 802.1X without requiring extensive training on Cisco ISE. XtendISE helps manage MAC addresses, troubleshoot 802.1X authentication issues, and simplify the management of switch 802.1X configurations. It also validates configurations to ensure they are set up correctly and as intended.
We covered the basics of XtendISE in a previous article linked below. In this blog post, we will explore in detail three key features that XtendISE offers.
Typically, when a device doesn’t support 802.1X, we collect its MAC address and add it to a specific group in Continue reading
netlab release 1.9.3 brings these new features:
Other new features include:
A friend of mine recently wrote a nice post explaining how netlab helped him set up a large network topology in a reasonably short timeframe. As expected, his post attracted a wide variety of comments, from “netlab is a gamechanger” (thank you 😎) to “I prefer traditional labs.” Instead of writing a bunch of replies into a walled-garden ecosystem, I decided to address some of those concerns in a public place.
Let’s start with:
At Cloudflare, we treat developer content like a product, where we take the user and their feedback into consideration. We are constantly iterating, testing, analyzing, and refining content. Inspired by agile practices, treating developer content like an open source product means we approach our documentation the same way an open source software project is created and maintained. Open source documentation empowers the developer community because it allows anyone, anywhere, to contribute content. By making both the content and the framework of the documentation site publicly accessible, we provide developers with the opportunity to not only improve the material itself but also understand and engage with the processes that govern how the documentation is built, approved, and maintained. This transparency fosters collaboration, learning, and innovation, enabling developers to contribute their expertise and learn from others in a shared, open environment. We also provide feedback to other open source products and plugins, giving back to the same community that supports us.
Great documentation empowers users to be successful with a new product as quickly as possible, showing them how to use the product and describing its benefits. Relevant, timely, and accurate content can save Continue reading
This post is a textual version of a talk I gave at The 38th Chaos Computer Congress at the end of 2018
Wanted to share this “too weird to believe” SNAFU I found when running integration tests with the Bird routing daemon. It’s irrelevant unless you want Bird to advertise the IPv6 prefix configured on the main loopback interface (lo
) with OSPFv3.
Late last year, I decided to run netlab integration tests with the Bird routing daemon. It passed most baseline netlab OSPFv3 integration tests but failed those that checked the loopback IPv6 prefix advertised by the tested device (test results).
As mentioned in the previous chapter, Recurrent Neural Networks (RNNs) can have hundreds or even thousands of time steps. These basic RNNs often suffer from the gradient vanishing problem, where the network struggles to retain historical information across all time steps. In other words, the network gradually "forgets" historical information as it progresses through the time steps.
One solution to address the horizontal gradient vanishing problem between time steps is the use of Long Short-Term Memory (LSTM) based RNN instead of basic RNN. LSTM cells can preserve historical information across all time steps, whether the model contains ten or several thousand time steps.
Figure 6-1 illustrates the overall architecture of an LSTM cell. It includes three gates: the Forget gate, the Input gate (a.k.a. Remember gate), and the Output gate. Each gate contains input neurons that use the Sigmoid activation function. The reason for employing the Sigmoid function, as shown in Figure 5-4 of the previous chapter, is its ability to produce outputs in the range of 0 to 1. An output of 0 indicates that the gate is "closed," meaning the information is excluded from contributing to the cell's internal state calculations. An output of Continue reading
Hello my friend,
First of all, Happy New Year! We hope that you had a great festive time with your beloved ones, families and friends. That’s the one of the most important part of our lives and, in our opinion, spending some time off the grid impacts our mental well-being positively and gives us energy to move forward and achieve new heights in professional and business areas.
Talking about the topic of today blog post, we thought it will be useful to show you a concept, which is Go (Golang) specific, as there is no such a need in Python. This concept is called “interfaces”, and it is extremely helpful when you work with external data, which you will face working with external data source, e.g. retrieving data from APIs with JSON/XML encoding.
Disclaimer, we talk about interfaces only in the context of the data types in Go (Golang), as it is also used for class composition (object-oriented programming), so we put it aside for now. We may get back to it later in our blog series.
If you follow latest trends, you see that AI in various forms, whether this is agentic AI, Continue reading
The Internet is designed to provide multiple paths between two endpoints. Attempts to exploit multi-path opportunities are almost as old as the Internet, culminating in RFCs documenting some of the challenges. Still, today, virtually all end-to-end communication uses only one available path at a time. Why? It turns out that in multi-path setups, even the smallest differences between paths can harm the connection quality due to packet reordering and other issues. As a result, Internet devices usually use a single path and let the routers handle the path selection.
There is another way. Enter Multi-Path TCP (MPTCP), which exploits the presence of multiple interfaces on a device, such as a mobile phone that has both Wi-Fi and cellular antennas, to achieve multi-path connectivity.
MPTCP has had a long history — see the Wikipedia article and the spec (RFC 8684) for details. It's a major extension to the TCP protocol, and historically most of the TCP changes failed to gain traction. However, MPTCP is supposed to be mostly an operating system feature, making it easy to enable. Applications should only need minor code changes to support it.
There is a caveat, however: MPTCP is still fairly immature, and while it can Continue reading